JP4U

GrayFish, a malware in HDD firmware


Hello.

 

First of all, sorry if my English isn't extraordinary; I'm a French user of your apps.

 

I read a few days ago that a new type of malware was discovered by Kaspersky Lab.

It's hidden in the firmware of IBM, Samsung, Maxtor, Western Digital, Toshiba and Seagate HDDs.

Together with other malware like Regin or Stuxnet, for example, it seems possible to steal important information from a PC without detection by classic antimalware apps.

 

French source: http://www.numerama.com/magazine/32247-grayfish-un-trojan-dissimule-dans-les-disques-durs-revele-par-kaspersky.html

English article, more technical: http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

Kaspersky Lab report: https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf


Hello,

Thank you for sharing this information. However, please remember that, just as with about any piece of advanced malware, and especially if this affects firmware, it first needs to be written to disk; that means that it can be intercepted by behavioral detection. For example, Emsisoft products would show a "direct disk access" alert in such a case, allowing the computer user to stop the initial infection.


Unfortunately, since 2008 and GrayFish's first version, a lot of PCs in the world could be infected:

[image: timeline_4_1024-640x374.png]

If some of them were used by HDD manufacturers, it's also possible that new HDDs are infected when you buy a new PC, before you begin using it.


It's important to realize that, if the information is correct, this group and the malware it develops are used to spy for political/economical purposes. It also seems likely that to this effect they (try to) manipulate hardware that will end up at a destination where they might intercept actually interesting information from a political/economical point of view.

 

It's highly unlikely that a typical home user's computer contains such information, and the number of reported infections is way too small to support this either. In other words, if I were associated with a government and responsible for security, I'd have a close look at this (and I've said it before, undetectable malware does not exist, just as-of-now undetected malware; with a description as given in the articles you linked to, a security expert would know where to start examining a computer).

 

In other words, yes, this is advanced malware, but no, it is not likely you'll see it on your personal computer anytime soon (that would make it way too prevalent, which would allow security researchers to get their hands on it, which in turn would facilitate detection and removal, which obviously is what this group wants to avoid at all costs).


Reminds me of the "hardware keyloggers" of those old days, when people started to talk about them as if they were a real threat to them, but in reality it is not that serious for anybody: "physical threat" vs "software threat", a big difference. For example, let's take any computer operating system; most of them have a way to bypass the "admin"/"root" password, but "PHYSICALLY", meaning someone must be at the PC to do it. Anyway, in real life "physical attacks" are not meant for just anybody; they're for some VIPs only.
